I am a Global Security Advocate for Akamai Technologies. I have almost two decades of industry experience, including extensive experience in IT operations and management. I am the founder of the security site Liquidmatrix Security Digest and co-host of the Liquidmatrix podcast. I also serve on the (ISC)2 Board of Directors. Prior to my current role, I worked in the finance, healthcare, entertainment, manufacturing and critical infrastructure verticals. I've worked for a defense contractor as a security consultant to clients such as the FBI, US Navy, Social Security Administration, US Postal Service and the US Department of Defense, to name a few. When not at work I can be found spending time with my family, playing bass guitar and polishing my brick of enlightenment.

iCloud Data Breach: Hacking And Celebrity Photos

A few days ago a group calling themselves hackappcom posted a proof-of-concept script on the popular code repository GitHub that would allow a user to attempt to breach iCloud and access an account. The script queried iCloud through the "Find My iPhone" API to guess username and password combinations. The problem was that Apple apparently was not limiting the number of login attempts made through that endpoint. This gave attackers an unlimited number of chances to guess passwords without fear of the account being locked out, which turns a dictionary attack that should fail after a handful of tries into one limited only by bandwidth and patience.
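The following is an added example, not the hackappcom script and not Apple's code, showing why the missing control matters. A toy authentication service holds one constructed account, and a dictionary attack in the style of the proof of concept is run against it twice: once with no limit on failed attempts, and once with a per-account lockout after three failures. The account, password, salt handling and wordlist are all constructed for the example.

```python
"""Added example: dictionary attack against a login endpoint with and without
a per-account failed-attempt limit. Nothing here is the original PoC or any
Apple service; the user store and wordlist are constructed for illustration."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


def _hash(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; a stand-in for however the server stores credentials."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


# Constructed user store: username -> (salt, hashed password). The weak password
# is deliberate; it is the kind of guess a wordlist attack finds quickly.
_SALT = os.urandom(16)
USERS: Dict[str, Tuple[bytes, bytes]] = {
    "alice@example.com": (_SALT, _hash("password1", _SALT)),
}

# Constructed wordlist standing in for the dictionary the PoC carried.
WORDLIST = ["123456", "qwerty", "letmein", "iloveyou", "password1", "hunter2"]


@dataclass
class AuthService:
    """Login endpoint with an optional per-account failed-attempt limit.

    max_failures=None reproduces the unlimited-guess behaviour described in
    the article; any integer N locks the account after N consecutive failures.
    """
    max_failures: Optional[int] = None
    failures: Dict[str, int] = field(default_factory=dict)
    locked: Set[str] = field(default_factory=set)

    def login(self, user: str, password: str) -> str:
        if user in self.locked:
            return "locked"  # refuse even a correct guess once locked
        record = USERS.get(user)
        # Constant-time compare so timing does not leak which guess was close.
        ok = record is not None and hmac.compare_digest(_hash(password, record[0]), record[1])
        if ok:
            self.failures.pop(user, None)
            return "ok"
        count = self.failures.get(user, 0) + 1
        self.failures[user] = count
        if self.max_failures is not None and count >= self.max_failures:
            self.locked.add(user)
        return "fail"


def brute_force(service: AuthService, user: str, wordlist) -> dict:
    """Try each word once, one request per guess, the way the PoC did.

    Returns whether the account fell, the password that worked, and how many
    requests were sent before success or lockout.
    """
    attempts = 0
    for guess in wordlist:
        attempts += 1
        result = service.login(user, guess)
        if result == "ok":
            return {"cracked": True, "password": guess, "attempts": attempts}
        if result == "locked":
            return {"cracked": False, "password": None, "attempts": attempts}
    return {"cracked": False, "password": None, "attempts": attempts}


if __name__ == "__main__":
    # No limit: the fifth guess in the list is the password, so the account falls.
    print("unlimited:", brute_force(AuthService(), "alice@example.com", WORDLIST))
    # Three-strike lockout: the attack is stopped before it reaches "password1".
    print("lockout:  ", brute_force(AuthService(max_failures=3), "alice@example.com", WORDLIST))
```

A hard lockout is the simplest fix but is not free of side effects: an attacker who knows a victim's username can deliberately lock them out, so production services usually combine a per-account counter with escalating delays, per-source-IP throttling and alerting rather than a permanent lock. The point the example makes is narrower: with no limit at all, the only cost of a wrong guess is one more request.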

The script grew out of a talk given by Andrey Belenko and Alexey Troshichev, "iCloud Keychain and iOS 7 Data Protection", at the Russian DefCon group DCG#7812. Based on the note they posted after news of the breach started to circulate, they were rather upset that their script was being used to a malicious end:

In justification I can only mention that we only described the way HOW to hack AppleID. Stealing private "hot" data is outside of our scope of interests. We discuss such methods of hacks in our narrow range, just to identify all the ways privacy can be abused.

For everyone who was involved in this incident, I want to remind that today we are living in a Brave New Global World, where privacy protection was never so weak, and you have to consider that all your data from "smart" devices could be accessible from the internet, which is a place of anarchy and, as a result, could be a source of undesirable and unfriendly activity.

The law of unintended consequences at its finest.

As a result, some ne'er-do-wells accessed the accounts of a number of Hollywood actors and leaked their personal pictures online. So, why were these pictures in iCloud? For those of you who may be unaware, iCloud is a service offered by Apple to back up data from a user's iThinger of choice. It can back up email, contacts, calendars, notes, Passbook, keychain and photos, to name a few. Once attackers had the account credentials, they had everything the account had backed up, and in the case of a large group of celebrities that included their private photos. An unfortunate outcome to say the least.

I nervously checked the settings on my iPhone after news of this incident broke only to find that no, I was not using the service. No nude photos of me. Trust me, that’s a blessing.

While this incident has unfortunate ramifications for the victims, it has been a great wake-up call for others thanks to the huge amount of press coverage. This is an excellent opportunity for people to clean up their password practices and improve their personal security posture. So, how does one avoid this sort of problem? There are a few things you can do to reduce the chance of this type of outcome. First, enable two-factor authentication on your iCloud account. Once this is enabled, a user receives a four-digit code by SMS to enter in addition to their password. This way, if a password is compromised the attacker would still need the SMS code to gain access to the account. Two caveats: a four-digit code only helps if the service limits how many times it can be guessed and expires it quickly, and a second factor only protects the access paths on which the service actually enforces it, so it is worth checking which iCloud features it covers.

A second thing to keep in mind is the use of a strong password. Using one such as "password1" is simply inviting disaster; it sits near the top of every wordlist an attacker would try first. You'd be better served using a password such as "hGYcq6QE6agG8[N&j+a." or, better still, a long passphrase that is unique to the account.

The last piece to take into account is making use of a password manager. This is a piece of software that generates and stores your passwords for you securely, which makes a unique, random password for every account practical. There are excellent products out there that can do this for you, such as 1Password from AgileBits, KeePass and LastPass, to name a few.

It is early in the investigation into this breach, but Apple managed to quickly patch the exposure. Hopefully, the worst is over for the affected parties.
